Allele Security Alert
ASA-2019-00113
Identifier(s)
ASA-2019-00113, CVE-2019-6465
Title
Zone transfer controls for writable DLZ zones were not effective
Vendor(s)
Internet Systems Consortium (ISC)
Product(s)
BIND
Affected version(s)
BIND 9.9.0 -> 9.10.8-P1, 9.11.0 -> 9.11.5-P2, 9.12.0 -> 9.12.3-P2, and versions 9.9.3-S1 -> 9.11.5-S3 of BIND 9 Supported Preview Edition. Versions 9.13.0 -> 9.13.6 of the 9.13 development branch are also affected.
Fixed version(s)
BIND 9.11.5-P4
BIND 9.12.3-P4
BIND 9.11.5-S5
Proof of concept
Unknown
Description
Controls for zone transfers may not be properly applied to Dynamically Loadable Zones (DLZs) if the zones are writable.
A client exercising this defect can request and receive a zone transfer of a DLZ even when not permitted to do so by the allow-transfer ACL.
Technical details
Unknown
Credits
Unknown
Reference(s)
CVE-2019-6465: Zone transfer controls for writable DLZ zones were not effective
https://kb.isc.org/docs/cve-2019-6465
Multiple BIND CVEs disclosed (CVE-2018-5744, CVE-2018-5745, CVE-2019-6465)
https://seclists.org/oss-sec/2019/q1/146
CVE-2019-6465
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6465
CVE-2019-6465
https://nvd.nist.gov/vuln/detail/CVE-2019-6465
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: February 26, 2019